Hi @QJ_HAPPY
Each key has 6 flag associated with it, one of these is Key Usage Flag (KEY_USAGE), that determines if a key is used for encryption/decryption or for CMAC generation/verification.
Regarding of how to return to the factory settings when CSE is enabled, the only way to restore it is with a mass erase, for this you need to run CMD_DBG_CHAL and CMD_DBG_AUTH commands to destroy the partition and then you can run mass erase. But if any CSEc key is ‘write-protected’ the above procedure will not work thus mass erase cannot be launched.
Take a look to these application notes, they will be useful for you.
Getting Started with CSEc Security Module
Production Flash Programming Best Practices for S32K1xx MCUs
B.R
VaneB
